mirror of
https://github.com/containers/podman.git
synced 2025-05-21 17:16:22 +08:00
377 lines
11 KiB
Go
377 lines
11 KiB
Go
package trust
|
|
|
|
import (
|
|
"encoding/json"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/containers/image/v5/signature"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestPolicyDescription(t *testing.T) {
|
|
tempDir := t.TempDir()
|
|
policyPath := filepath.Join(tempDir, "policy.json")
|
|
|
|
// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
|
|
// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
|
|
idReader := func(keyPath string) []string {
|
|
require.True(t, strings.HasPrefix(keyPath, "/"))
|
|
require.True(t, strings.HasSuffix(keyPath, ".pub"))
|
|
return strings.Split(keyPath[1:len(keyPath)-4], ",")
|
|
}
|
|
|
|
for _, c := range []struct {
|
|
policy *signature.Policy
|
|
expected []*Policy
|
|
}{
|
|
{
|
|
&signature.Policy{
|
|
Default: signature.PolicyRequirements{
|
|
signature.NewPRReject(),
|
|
},
|
|
Transports: map[string]signature.PolicyTransportScopes{
|
|
"docker": {
|
|
"quay.io/accepted": {
|
|
signature.NewPRInsecureAcceptAnything(),
|
|
},
|
|
"registry.redhat.io": {
|
|
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
"registry.access.redhat.com": {
|
|
xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
"quay.io/multi-signed": {
|
|
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
"quay.io/sigstore-signed": {
|
|
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "all",
|
|
Name: "* (default)",
|
|
RepoName: "default",
|
|
Type: "reject",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "quay.io/accepted",
|
|
RepoName: "quay.io/accepted",
|
|
Type: "accept",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "quay.io/multi-signed",
|
|
RepoName: "quay.io/multi-signed",
|
|
Type: "signed",
|
|
SignatureStore: "https://quay.example.com/sigstore",
|
|
GPGId: "1",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "quay.io/multi-signed",
|
|
RepoName: "quay.io/multi-signed",
|
|
Type: "signed",
|
|
SignatureStore: "https://quay.example.com/sigstore",
|
|
GPGId: "2, 3",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "quay.io/sigstore-signed",
|
|
RepoName: "quay.io/sigstore-signed",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "",
|
|
GPGId: "N/A",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "quay.io/sigstore-signed",
|
|
RepoName: "quay.io/sigstore-signed",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "",
|
|
GPGId: "N/A",
|
|
},
|
|
{
|
|
Transport: "repository",
|
|
Name: "registry.access.redhat.com",
|
|
RepoName: "registry.access.redhat.com",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat, redhat-beta",
|
|
}, {
|
|
Transport: "repository",
|
|
Name: "registry.redhat.io",
|
|
RepoName: "registry.redhat.io",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
&signature.Policy{
|
|
Default: signature.PolicyRequirements{
|
|
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "all",
|
|
Name: "* (default)",
|
|
RepoName: "default",
|
|
Type: "signed",
|
|
SignatureStore: "",
|
|
GPGId: "1",
|
|
},
|
|
{
|
|
Transport: "all",
|
|
Name: "* (default)",
|
|
RepoName: "default",
|
|
Type: "signed",
|
|
SignatureStore: "",
|
|
GPGId: "2, 3",
|
|
},
|
|
},
|
|
},
|
|
} {
|
|
policyJSON, err := json.Marshal(c.policy)
|
|
require.NoError(t, err)
|
|
err = os.WriteFile(policyPath, policyJSON, 0600)
|
|
require.NoError(t, err)
|
|
|
|
res, err := policyDescriptionWithGPGIDReader(policyPath, "./testdata", idReader)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, c.expected, res)
|
|
}
|
|
}
|
|
|
|
func TestDescriptionsOfPolicyRequirements(t *testing.T) {
|
|
// Override getGPGIdFromKeyPath because we don't want to bother with (and spend the unit-test time on) generating valid GPG keys, and running the real GPG binary.
|
|
// Instead of reading the files at all, just expect file names like /id1,id2,...,idN.pub
|
|
idReader := func(keyPath string) []string {
|
|
require.True(t, strings.HasPrefix(keyPath, "/"))
|
|
require.True(t, strings.HasSuffix(keyPath, ".pub"))
|
|
return strings.Split(keyPath[1:len(keyPath)-4], ",")
|
|
}
|
|
|
|
template := Policy{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
}
|
|
registryConfigs, err := loadAndMergeConfig("./testdata")
|
|
require.NoError(t, err)
|
|
|
|
for _, c := range []struct {
|
|
scope string
|
|
reqs signature.PolicyRequirements
|
|
expected []*Policy
|
|
}{
|
|
{
|
|
"",
|
|
signature.PolicyRequirements{
|
|
signature.NewPRReject(),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "reject",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
"quay.io/accepted",
|
|
signature.PolicyRequirements{
|
|
signature.NewPRInsecureAcceptAnything(),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "accept",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
"registry.redhat.io",
|
|
signature.PolicyRequirements{
|
|
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
"registry.access.redhat.com",
|
|
signature.PolicyRequirements{
|
|
xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat, redhat-beta",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
"quay.io/multi-signed",
|
|
signature.PolicyRequirements{
|
|
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://quay.example.com/sigstore",
|
|
GPGId: "1",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://quay.example.com/sigstore",
|
|
GPGId: "2, 3",
|
|
},
|
|
},
|
|
}, {
|
|
"quay.io/sigstore-signed",
|
|
signature.PolicyRequirements{
|
|
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "",
|
|
GPGId: "N/A",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "",
|
|
GPGId: "N/A",
|
|
},
|
|
},
|
|
},
|
|
{ // Multiple kinds of requirements are represented individually.
|
|
"registry.redhat.io",
|
|
signature.PolicyRequirements{
|
|
signature.NewPRReject(),
|
|
signature.NewPRInsecureAcceptAnything(),
|
|
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
|
|
},
|
|
[]*Policy{
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
Type: "reject",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
Type: "accept",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "redhat, redhat-beta",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "1",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "signed",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "2, 3",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "N/A",
|
|
},
|
|
{
|
|
Transport: "transport",
|
|
Name: "name",
|
|
RepoName: "repoName",
|
|
Type: "sigstoreSigned",
|
|
SignatureStore: "https://registry.redhat.io/containers/sigstore",
|
|
GPGId: "N/A",
|
|
},
|
|
},
|
|
},
|
|
} {
|
|
reqsJSON, err := json.Marshal(c.reqs)
|
|
require.NoError(t, err)
|
|
var parsedRegs []repoContent
|
|
err = json.Unmarshal(reqsJSON, &parsedRegs)
|
|
require.NoError(t, err)
|
|
|
|
res := descriptionsOfPolicyRequirements(parsedRegs, template, registryConfigs, c.scope, idReader)
|
|
assert.Equal(t, c.expected, res)
|
|
}
|
|
}
|